title | description | author | ms.author | ms.reviewer | ms.date | ms.service | ms.subservice | ms.custom | ms.topic |
---|---|---|---|---|---|---|---|---|---|
Configure and use Always Encrypted with secure enclaves \| Microsoft Docs | Learn how to configure and use Always Encrypted with secure enclaves in SQL Server and Azure SQL Database, which enables richer functionality on sensitive data. | Pietervanhove | pivanho | vanto | 11/14/2023 | sql | security | ignite-2023 | conceptual |
[!INCLUDE sqlserver2019-windows-only-asdb]
Always Encrypted with secure enclaves extends the existing Always Encrypted feature to enable richer functionality on sensitive data while keeping the data confidential. This article lists common tasks for configuring and using the feature.
For tutorials that show you how to quickly get started with Always Encrypted with secure enclaves, see:
Before you can use Always Encrypted with secure enclaves, you need to configure your environment to ensure the secure enclave is available for the database. You might also need to set up enclave attestation, if applicable.
The process for setting up your environment depends on whether you're using [!INCLUDE sql-server-2019] and later or [!INCLUDE ssazure-sqldb].
Set up the secure enclave and attestation in [!INCLUDE ssnoversion-md]
To set up Always Encrypted with secure enclaves without attestation, see:
- Plan for Always Encrypted with secure enclaves in SQL Server without attestation
- Configure the secure enclave in SQL Server
To set up Always Encrypted with secure enclaves and attestation, see:
- Plan for Host Guardian Service attestation
- [Deploy the Host Guardian Service for [!INCLUDE ssnoversion-md]](./always-encrypted-enclaves-host-guardian-service-deploy.md)
- Register computer with the Host Guardian Service
- Configure the secure enclave in SQL Server
Set up the secure enclave and attestation in [!INCLUDE ssazure-sqldb]
For details, see the following articles:
- [Plan for secure enclaves in [!INCLUDE ssazure-sqldb]](/azure/azure-sql/database/always-encrypted-enclaves-plan)
- [Enable Always Encrypted with secure enclaves for your [!INCLUDE ssazure-sqldb]](/azure/azure-sql/database/always-encrypted-enclaves-enable)
- Configure Azure Attestation for your Azure SQL Database logical server
Important
VBS enclaves in Azure SQL Database do not support attestation. Configuring Azure Attestation only applies to Intel SGX enclaves.
- Manage keys for Always Encrypted with secure enclaves - overview
- Provision enclave-enabled keys
- Rotate enclave-enabled keys
- Configure column encryption in-place using Always Encrypted with secure enclaves - overview
- Configure column encryption in-place with Transact-SQL
- Configure column encryption in-place with PowerShell
- Configure column encryption in-place with DAC Package
- Enable Always Encrypted with secure enclaves for existing encrypted columns